Add image scanner action

Signed-off-by: Pete Wall <[email protected]>
grafana · Jan 7, 2025 · 3c10ca5 · 3c10ca5
1 parent ddc20ba
commit 3c10ca5
Show file tree

Hide file tree

Showing 2 changed files with 68 additions and 7 deletions.
diff --git a/.github/workflows/scan-chart-images.yml b/.github/workflows/scan-chart-images.yml
@@ -0,0 +1,67 @@
+---
+name: Scan Chart Images
+
+on:
+  push:
+    branches: ["main"]
+    paths:
+      - 'charts/k8s-monitoring/docs/examples/**'
+  pull_request:
+    paths:
+      - 'charts/k8s-monitoring/docs/examples/**'
+  workflow_dispatch:
+
+jobs:
+  list-container-images:
+    name: List Container Images
+    runs-on: ubuntu-latest
+    outputs:
+      images: ${{ steps.list_images.outputs.images }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Install yq
+        uses: dcarbone/[email protected]
+
+      - name: List Container Images
+        id: list_images
+        working-directory: charts/k8s-monitoring
+        run: |
+          files=$(find docs/examples -name output.yaml)
+          touch images.txt
+          for file in $files; do
+            if [ "${file}" == "docs/examples/private-image-registries/output.yaml" ]; then
+              continue
+            fi
+            {
+              yq -r -o json '. | select(.kind=="DaemonSet") | .spec.template.spec.containers[].image' "${file}"
+              yq -r -o json '. | select(.kind=="Deployment") | .spec.template.spec.containers[].image' "${file}"
+              yq -r -o json '. | select(.kind=="Job") | .spec.template.spec.containers[].image' "${file}"
+              yq -r -o json '. | select(.kind=="Pod") | .spec.containers[].image' "${file}"
+              yq -r -o json '. | select(.kind=="StatefulSet") | .spec.template.spec.containers[].image' "${file}"
+            } >> images.txt
+          done
+          echo "images=$(sort --unique < images.txt | jq --raw-input --slurp --compact-output 'split("\n") | map(select(. != ""))')" >> "${GITHUB_OUTPUT}"
+
+  scan-container-images:
+    name: Scan Container Images
+    needs: list-container-images
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        image: ${{ fromJson(needs.list-container-images.outputs.images) }}
+      fail-fast: false
+    steps:
+      - name: Run Trivy
+        uses: aquasecurity/[email protected]
+        with:
+          token-setup-trivy: ${{ secrets.GITHUB_TOKEN }}
+          image-ref: ${{ matrix.image }}
+          format: sarif
+          output: trivy-results.sarif
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: trivy-results.sarif
diff --git a/.github/workflows/test-v1.yml b/.github/workflows/test-v1.yml
@@ -80,17 +80,11 @@ jobs:
       - name: Install Helm
         uses: azure/setup-helm@v4
 
-      - name: Set up Python
-        uses: actions/setup-python@v5
-        with:
-          python-version: '3.9'
-          check-latest: true
-
       - name: Set up chart-testing
         uses: helm/chart-testing-action@v2
 
       - name: Install yq
-        run: pip install yq
+        uses: dcarbone/install[email protected]
 
       - name: Install ShellSpec
         run: |